Sprint says Virgin Mobile users are safe from account hijacks
Downplays report by developer that accounts are easily hackable
Computerworld - Sprint today denied that subscribers of its Virgin Mobile subsidiary were wide open to account hijacking attacks as claimed by an independent software developer this week.
In emailed comments, Sprint spokeswoman Stephanie Vinge Walsh said the company has multiple safeguards to protect customer accounts from intrusion and tampering by unauthorized users.
"It's important to note that there are many different overlapping safeguards in place to ensure our customers' privacy and security, and we have taken steps to further prevent intrusions and spoofing," Walsh said. "While we maintain confidentiality about our security measures, our customer accounts are monitored constantly for several types of activity that would indicate if something illegal or inappropriate may be taking place."
Walsh was responding to questions that arose from a Monday blog post by developer Kevin Burke. In it, Burke detailed how the username and password system used by Virgin Mobile to let users access their accounts online was inherently weak and open to abuse.
Virgin forces subscribers to use their phone numbers as their username and a six-digit number as their password, Burke noted.
Because the password is just six digits long, it is relatively easy to guess using brute-force password guessing tools, Burke claimed. Burke authored a password-guessing tool to crack his own password to demonstrate how easy it is to defeat Virgin Mobile's authentication. The tool was designed to test different six-digit password combinations until it found the right one.
With the password and phone number, an attacker would be able to get a user's entire call records and texting history, change the handset associated with the number and change service address and password to lock the actual user out of an account, Burke wrote.
Burke said he went public with his discovery because Sprint did not fix the vulnerability after being told how easy it was to exploit. He also noted in his blog that Virgin Mobile subscribers had no easy way to mitigate any exposure to account hijacks.
In response, Sprint said it implemented a new procedure to lock out users from their accounts after four failed attempts. Burke described that move as ineffective because hackers could bypass it by making login attempts without sending any cookie data with the requests.
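The design flaw Burke describes, a lockout counter that only exists as long as the client returns it, is easiest to see next to the server-side alternative. The following is an added example, not code from the article or from Sprint or Virgin Mobile; the phone numbers, PINs, class names and helper names are all constructed. It models both designs and a small control test that counts how many deliberately wrong PINs each server actually evaluates when the client does or does not return cookies.

```python
"""Added example, not code from the article or from Sprint/Virgin Mobile.

Models the two lockout designs the article describes. A failed-login counter
carried only in the session cookie vanishes when the client sends no cookie,
so the lockout never triggers; a counter kept server-side and keyed on the
account applies regardless of what the client sends. Phone numbers, PINs,
class and function names are all constructed for this demonstration.
"""
import hmac
from typing import Dict, Optional, Tuple

MAX_FAILED_ATTEMPTS = 4   # lockout threshold quoted in the article
PIN_SPACE = 10 ** 6       # six decimal digits, as the article states

# Constructed accounts: phone number -> six-digit PIN (plaintext only for the model)
ACCOUNTS: Dict[str, str] = {"5550100001": "482913", "5550100002": "007731"}

Cookie = Optional[Dict[str, int]]


def _pin_matches(phone: str, pin: str) -> bool:
    # Constant-time comparison; an unknown phone compares against "" and fails
    return hmac.compare_digest(ACCOUNTS.get(phone, ""), pin)


class CookieCounterLogin:
    """Weak design: the failure count lives only in the session cookie."""

    def login(self, phone: str, pin: str, cookie: Cookie = None) -> Tuple[str, Dict[str, int]]:
        # Whatever the client returns is trusted; no cookie means zero failures
        failures = (cookie or {}).get("failures", 0)
        if failures >= MAX_FAILED_ATTEMPTS:
            return "locked", {"failures": failures}
        if _pin_matches(phone, pin):
            return "ok", {"failures": 0}
        return "bad_pin", {"failures": failures + 1}


class AccountCounterLogin:
    """Hardened design: the failure count is server state keyed on the account."""

    def __init__(self) -> None:
        self.failures: Dict[str, int] = {}

    def is_locked(self, phone: str) -> bool:
        return self.failures.get(phone, 0) >= MAX_FAILED_ATTEMPTS

    def login(self, phone: str, pin: str, cookie: Cookie = None) -> Tuple[str, Dict[str, int]]:
        # The cookie plays no part in lockout; only the per-account counter matters
        if self.is_locked(phone):
            return "locked", {}
        if _pin_matches(phone, pin):
            self.failures.pop(phone, None)
            return "ok", {}
        self.failures[phone] = self.failures.get(phone, 0) + 1
        return "bad_pin", {}


def wrong_pins_evaluated(server, phone: str, attempts: int, return_cookie: bool) -> int:
    """Control test: how many deliberately wrong PINs the server actually checks.

    With return_cookie=False the client discards every cookie the server sets,
    the client behaviour the article says defeated the cookie-based lockout.
    A correct lockout evaluates at most MAX_FAILED_ATTEMPTS of them either way.
    """
    cookie: Cookie = None
    evaluated = 0
    for _ in range(attempts):
        status, new_cookie = server.login(phone, "999999", cookie)  # constructed wrong PIN
        if status == "bad_pin":
            evaluated += 1
        cookie = new_cookie if return_cookie else None
    return evaluated


def pin_space_fraction(evaluated: int) -> float:
    """Share of the six-digit PIN space that `evaluated` guesses cover."""
    return evaluated / PIN_SPACE


if __name__ == "__main__":
    for name, factory in (("cookie counter", CookieCounterLogin),
                          ("account counter", AccountCounterLogin)):
        for keep in (True, False):
            n = wrong_pins_evaluated(factory(), "5550100001", 10, return_cookie=keep)
            print(f"{name:16} cookie returned={keep!s:5} wrong PINs evaluated: {n}")
```

With the cookie-based counter, a client that never returns the cookie gets every one of its guesses evaluated, so the whole 1,000,000-PIN space stays reachable; with the account-keyed counter, at most four of the million PINs can be tried per account before the lock engages, whatever the client does. The hardened model still leaves two things a real deployment has to decide: how a locked account is unlocked (a time window or a support process rather than a permanent lock), and the fact that a per-account counter lets anyone who knows a phone number lock its owner out, which is why the counter is normally paired with alerting and monitoring rather than used alone. A real system would also store a hash of the PIN, not the plaintext used here to keep the model short.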
In her comments today, Walsh did not specifically address Burke's claims. Instead, she said the company has not received any reports of fraud affecting Virgin Mobile customers.
"We have had no unusual reports of fraud incidents or adverse consequences to our customers and believe that the total security measures in place prevent vulnerability of their accounts," Walsh said. "Payment card data is not visible on an account and we have additional processes in place to monitor and limit balance transfers and correction of inappropriate charges."
Walsh offered no details on what those measures might be.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is email@example.com.